webOS prone to security attacks

posted by Victor H. / Nov 26, 2010, 9:16 AM

Security researchers have revealed several critical flaws in webOS that allow malicious code to access system functions. Cross-site scripting vulnerabilities could be used to gain remote access to the device and even build a botnet.

Researchers Orlando Barrera and Daniel Herrera of security firm SecTheory discovered three major holes: a floating-point overflow issue, a denial of service bug and the cross-site scripting flaw. HP has worked on at least one of the holes, in the “Contacts” app, and will reportedly have it fixed as of webOS 2.0 beta. However, it seems that the others will remain unaddressed.

Barrera demonstrated the findings and explained how XMLHttpRequests, a possible web communication channel, could be used to access the local file system. This means that user data could be extracted from the local database, which could include anything from contact information to passwords and unencrypted messages such as emails and SMS. There have been previous concerns about webOS's security, as the SMS client was found to be vulnerable to attacks as well.

The OS makes extensive use of JavaScript to run core functionality dynamically, while system commands are passed locally over HTTP. This leaves unprotected user-generated content susceptible to attacks. How much we should care about this depends only on what we store on our phones. But smartphones are getting closer to being in everyone's pocket and are becoming a vital part of our personal lives. And this could mean putting security first.
